DAAG 55-98-1-0471

Abstract

We describe several techniques for verifying infinite-state systems via finite-state abstractions. Diagrams are top-down, property-driven abstractions, which are especially suited for compositional, assume-guarantee reasoning. Predicate abstraction uses a bottom-up approach for generating abstractions; invariant generation techniques are applied to automatically generate the required predicates. Extended finite-state abstractions allow the inclusion of extra information produced by the deductive abstraction, which can be used by the model checker to reduce the number of spurious counterexamples.

These methods have been, or are currently being, implemented in the Stanford Temporal Prover. The methods have been applied in the analysis of a medical device.

Final Progress Report
ARO Contract DAAG 55-98-1-0471
November 30, 2001

P.I.: Prof. Zohar Manna
Computer Science Department
Stanford University
Stanford, CA 94305-9045

Project Title: Abstraction and Compositionality for the Verification of Infinite-State Reactive Systems

Problem Statement

Software systems are usually infinite-state, since they contain system variables over unbounded domains, such as integers, lists, trees, and other data types. Most finite-state verification methods, such as model checking, cannot be applied directly to such systems. The application of temporal verification techniques to software systems is further limited by the size and complexity of the systems analyzed.

Deductive verification, which relies on general theorem proving and user interaction, provides complete proof systems that can, in principle, prove the correctness of any property over an infinite-state system, provided the property is indeed valid for that system. However, these methods are also limited by the size and complexity of the system being analyzed, becoming much more laborious as the system complexity grows.

Verification methods analogous to those used to manage complexity in software design can be used to overcome these limitations. Modular verification follows the classic divide-and-conquer paradigm, where portions of a complex system are analyzed independently of each other. It holds the promise of proof reuse and the creation of libraries of verified components. Abstraction is based on ignoring details as much as possible, often simplifying the domain of computation of the original system. This may allow, for instance, abstracting infinite-state systems to finite-state ones that can be more easily model checked.


Summary of Results

Diagram Verification

Diagrams are property-driven abstractions of a system: verification is only concerned with those aspects of the program that are directly related to the property, thus reducing the burden on the user. The theory of diagrams and their application in the verification of reactive, real-time and hybrid systems is described in [Sip99].

Diagrams can be applied compositionally. Diagrams are constructed and justified for each component individually, taking into account environment assumptions and restrictions. Being automata-based, these diagrams can then be composed by taking products of automata, automatically discharging the assumptions, again justified by first-order verification conditions.

Diagrams can also be used to prove safety properties of parameterized systems, that is, systems that consist of an unspecified number of identical components that interact with each other. To prove liveness properties of parameterized systems we developed the technique of dynamic induction on diagrams [MS99], which allows the verification of the property for a single component to be used to infer the validity of the property for the global system, under the appropriate ordering conditions.

Automatic generation of diagrams is hampered by the fact that the starting diagram, the automaton for the property to be proven, is exponential in the size of the formula. To alleviate this problem, we explored the use of alternating automata, which are linear in the size of the formula. In [MS00] we demonstrated the use of alternating automata in the deductive verification of safety properties. We are currently extending this to the deductive verification of progress properties. Although generally applicable, this method appears to be especially suitable for assume-guarantee properties.

Program Abstraction by Invariant Generation

In [CU98] we presented a two-phase approach to program abstraction. It first uses theorem proving to construct a finite-state abstraction of an infinite-state program, and then finite-state analysis to compute the reachable states of the abstraction. This set of reachable abstract states is then used to verify temporal properties of the concrete system. This method, while highly automated, requires user guidance in the form of a finite set of atomic assertions over the variables of the concrete program.
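The two-phase approach just described, worked through on a small integer counter, as an added example that is not code from the report or from STeP. The program, its two atomic assertions, and the use of a bounded witness search in place of the theorem prover are all assumptions of this example; the bound is exact for this particular program for the reason stated in the code.

```python
"""Two-phase predicate abstraction of an integer counter.

Added example, not code from the report or from STeP.  Phase 1 uses a
decision oracle to build a finite abstraction of an infinite-state program;
phase 2 computes the reachable abstract states and checks a safety property
on them.  The oracle here is a bounded witness search that is exact for this
particular program (see `witnesses`); STeP discharges such queries with its
theorem prover.
"""
from collections import deque

# --- Concrete program (constructed): an integer counter that wraps to 0 -----
CONSTANTS = {0, 10}   # every constant that appears in guards, updates, predicates


def init(x):
    return x == 0


TRANSITIONS = {
    # name: (guard on x, update giving x')
    "inc":   (lambda x: x < 10,  lambda x: x + 1),
    "reset": (lambda x: x >= 10, lambda x: 0),
}

# --- Atomic assertions over the concrete variables (constructed) -------------
PREDICATES = {
    "x>=0":  lambda x: x >= 0,
    "x<=10": lambda x: x <= 10,
}


def witnesses():
    """Concrete states searched when deciding an existential query.

    Assumption that makes this exact for the program above: guards and
    predicates compare x with a constant, and each transition either shifts x
    by one or assigns a constant, so any witness x outside this window can be
    moved into it without changing the predicate values of x or of x'.
    """
    return range(min(CONSTANTS) - 2, max(CONSTANTS) + 3)


def abstract(x):
    """Abstract state of x: the tuple of truth values of the predicates."""
    return tuple(p(x) for p in PREDICATES.values())


def build_abstraction():
    """Phase 1: abstract initial states and an over-approximating abstract
    transition relation, one (name, successor) edge per satisfiable query."""
    abs_init = {abstract(x) for x in witnesses() if init(x)}
    abs_trans = {}
    for x in witnesses():
        for name, (guard, update) in TRANSITIONS.items():
            if guard(x):
                abs_trans.setdefault(abstract(x), set()).add((name, abstract(update(x))))
    return abs_init, abs_trans


def reachable(abs_init, abs_trans):
    """Phase 2: breadth-first reachability over the finite abstract system."""
    seen, queue = set(abs_init), deque(abs_init)
    while queue:
        a = queue.popleft()
        for _, b in abs_trans.get(a, ()):
            if b not in seen:
                seen.add(b)
                queue.append(b)
    return seen


def check_invariant(prop):
    """Check an invariant given as a boolean function of the predicate values.
    Returns (holds on the abstraction, reachable abstract states)."""
    abs_init, abs_trans = build_abstraction()
    reach = reachable(abs_init, abs_trans)
    return all(prop(a) for a in reach), reach


if __name__ == "__main__":
    holds, reach = check_invariant(lambda a: a[0] and a[1])   # 0 <= x <= 10
    print("reachable abstract states:", sorted(reach))
    print("invariant 0 <= x <= 10 holds:", holds)
```

Because the abstract transition relation over-approximates the concrete one, an invariant that holds on every reachable abstract state holds on the concrete program. The abstraction also carries edges from abstract states that are never reached (for instance from the state where x < 0), which is harmless for this safety check but is the source of the spurious counterexamples discussed later in the report.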

Invariant generation can be used to generate these abstractions automatically. We use the decidable theory of linear inequalities as a basis to discover program invariants. Our approach is to symbolically simulate the program for a number of program steps, representing them by linear systems, and then search for invariants among the common consequences of these systems. The advantage of this deductive variant of linear invariant generation is its generalizability: it admits the presence of disequalities and strict inequalities, thereby enabling the generation of more precise invariants in, for example, the branches of conditional statements.

We have also used this technique to automatically generate ranking functions for establishing loop termination [CS01]. The technique reduces the search for linear ranking functions to the problem of finding certain consequences of two linear systems, one approximating the transition relation around the loop and the other approximating the states reachable while in the loop. By manipulating these systems, the algorithm isolates those consequences that define linear ranking functions.

Extended Finite-state Abstraction

Many deductive and deductive-algorithmic verification methods explicitly or implicitly construct finite-state system abstractions, which are explicitly or implicitly model checked. We show how such abstractions can be represented, combined and model checked in a general way. For this, we define a class of extended finite-state abstractions, and present an algorithmic model checking procedure for them. This procedure uses all the information produced by the deductive-algorithmic methods, in a finite-state format that can be easily and incrementally combined. Besides a standard ∀CTL*-preserving safety component, the extended abstractions include extra bounds on fair transitions, well-founded orders, and constrained transition relations for checking existential properties or the generation of LTL counterexamples. This approach minimizes the need for user interaction and maximizes the impact of the available automated deduction and model checking tools. Once proved, verification conditions are reused as much as possible, leaving the temporal and combinatorial reasoning to automatic tools. The method is described in detail in [MSU99, Uri00, Uri01].
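How one kind of extra information, a well-founded order, lets the model checker discard a spurious counterexample, as an added example that is not code from the report or from STeP. The abstract graph (a counter that increments until x = 10 and then resets), the ranking 10 - x and the transition annotations are constructed for this example; STeP's actual representation of extended abstractions is not reproduced here.

```python
"""Extended finite-state abstraction with well-founded-order annotations.

Added example, not code from the report or from STeP.  The abstract graph is
constructed by hand for a counter that increments x until x = 10 and then
resets it to 0.  The plain graph has an `inc` self-loop, so a model checker
looking for a run on which `reset` is never taken finds one.  The extended
abstraction also records what the deductive phase proved about the ranking
10 - x (a natural number while 0 <= x <= 10): `inc` strictly decreases it and
nothing else on that loop changes it.  A cycle along which some ranking
never increases and decreases at least once cannot be repeated forever, so
that counterexample is discarded as spurious.
"""

# Abstract states (constructed): S1 stands for 0 <= x < 10, S2 for x = 10.
# Node names are strings so that each cycle can be enumerated exactly once.
ABSTRACT_TRANS = {
    "S1": [("inc", "S1"), ("inc", "S2")],   # x' = x + 1 stays below 10 or reaches it
    "S2": [("reset", "S1")],                # x' = 0
}

# Extra information from the deductive abstraction (constructed): for each
# well-founded ranking, the transitions proved to strictly decrease it and
# those proved to leave it unchanged.  Any other transition may increase it.
RANKINGS = {
    "10-x": {"decreases": {"inc"}, "unchanged": set()},
}


def simple_cycles(trans):
    """Enumerate each simple cycle of the abstract graph once, as the list of
    transition names along it.  Node names must be comparable: a cycle is
    reported only from its smallest node."""
    cycles = []

    def dfs(start, node, on_path, names):
        for name, nxt in trans.get(node, ()):
            if nxt == start:
                cycles.append(names + [name])
            elif nxt not in on_path and nxt > start:
                dfs(start, nxt, on_path | {nxt}, names + [name])

    for s in trans:
        dfs(s, s, {s}, [])
    return cycles


def is_spurious_cycle(cycle, rankings):
    """True if some ranking never increases along the cycle and strictly
    decreases at least once: no infinite run can follow the cycle forever."""
    names = set(cycle)
    for info in rankings.values():
        non_increasing = info["decreases"] | info["unchanged"]
        if names <= non_increasing and names & info["decreases"]:
            return True
    return False


def counterexamples(target, trans=ABSTRACT_TRANS, rankings=RANKINGS):
    """Candidate counterexamples to "transition `target` is eventually taken":
    cycles of the abstract graph that avoid `target`.  Returns the cycles that
    survive the well-founded-order check and those discarded as spurious."""
    genuine, spurious = [], []
    for cycle in simple_cycles(trans):
        if target in cycle:
            continue
        (spurious if is_spurious_cycle(cycle, rankings) else genuine).append(cycle)
    return genuine, spurious


if __name__ == "__main__":
    print("plain abstraction:   ", counterexamples("reset", rankings={}))
    print("extended abstraction:", counterexamples("reset"))
```

With an empty ranking table the `inc` self-loop is reported as a genuine counterexample; with the ranking recorded, the same loop is rejected and no counterexample remains, without any further call to the theorem prover. Bounds on fair transitions play the same role for loops that avoid a transition the concrete system is committed to taking.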




Applications

In the final year of the contract we have started to apply the above methods to the analysis of a medical device: a computer-assisted resuscitation device developed by the Walter Reed Army Institute of Research (WRAIR). Based on detailed tagged requirements developed by physicians at WRAIR, a clocked transition system was created to model the system. The system, consisting of some 400 transitions, was divided into modules, interacting by shared variables, and provided with environment assumptions both on timing behavior and data modification. Abstraction techniques and modular reasoning were used to check the system for infinite loops. Further analysis of this system is planned when funding is secured.

Implementation

The modular verification techniques proposed in [FMS98, BMSU01] were implemented in STeP (Stanford Temporal Prover) for reactive and real-time systems. We are currently implementing these methods for hybrid systems. An overview of the STeP system can be found in [BBC+00].

Except for the first-order theorem-proving component, STeP has been reimplemented in Java, with the objective of obtaining a more modular architecture that is easily extensible with new methods and computational models. It allows for quick experimentation to evaluate new techniques.